JSON-RPC API: User's Password

[c0da]

Hello everyone,

I've started playing with the JSO-RPC Api, and noticed that every time the server sends an update (next song event, play, pause, etc), it includes my user and password in the body. Something like this:

root@debian:~# telnet localhost 1705
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
{"jsonrpc":"2.0","method":"Stream.OnUpdate","params":{"id":"Spotify","stream":{"id":"Spotify","status":"playing","uri":{"fragment":"","host":"","path":"/librespot","query":{"bitrate":"320","buffer_ms":"20","codec":"flac","devicename":"Nova","name":"Spotify","password":"XXXX","sampleformat":"44100:16:2","username":"XXXX"},"raw":"spotify:///librespot?name=Spotify&username=XXXX&password=XXXX&devicename=Nova&bitrate=320","scheme":"spotify"}}}}

It just seems that anyone on my network could telnet to that port and see my user/pass. Is this the normal behaviour, something misconfigured, or a security bug?

Thanks in advance!

[ThYpHo0n]

I observed that behaviour just yesterday on my setup too. Maybe just prevent the username/password from getting exposed and string replaced in the raw string would be enough?

[badaix]

It's "normal behaviour" and should definitely be changed

[badaix]

fixed a490402

[c0da]

Excuse me @badaix, do you create a new .deb package every time you fix a bug, or should I compile from source?. Thanks in advance!

[badaix]

Not for every bug. But the v0.12.0 will be released soon (I hope during the next weekend).
Sometimes I'm closing bugs after having built a release and sometimes when the bug is fixed.